Chapter 8: Monitoring the Network
Connecting Networks
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential


Chapter Introduction
8.1 Syslog
8.2 SNMP
8.3 NetFlow
8.4 Summary

Chapter 8: Objectives
• Explain syslog operation in a small-to-medium-sized business network.
• Configure syslog to compile messages on a small-to-medium-sized business network management device.
• Explain SNMP operation in a small-to-medium-sized business network.
• Configure SNMP to compile messages on a small-to-medium-sized business network.
• Describe NetFlow operation in a small-to-medium-sized business network.
• Configure NetFlow data export on a router.
• Examine sample NetFlow data to determine traffic patterns.

Syslog

Syslog Operation: Introduction to Syslog

Syslog Operation

Syslog Operation: Syslog Message Format

Syslog Operation: Service Timestamp
• Log messages can be time-stamped, and the source address of syslog messages can be set. This enhances real-time debugging and management.
• The service timestamps log datetime msec command should be entered on the device in global configuration mode.
• In this chapter, it is assumed that the clock has been set and the service timestamps log datetime msec command has been configured on all devices.

Configuring Syslog: Syslog Server
• The syslog server provides a relatively user-friendly interface for viewing syslog output.
• The server parses the output and places the messages into predefined columns for easy interpretation. If timestamps are configured on the networking device sourcing the syslog messages, the date and time of each message are displayed in the syslog server output.
• Network administrators can easily navigate the large amount of data compiled on a syslog server.

Configuring Syslog: Default Logging

Configuring Syslog: Router and Switch Commands for Syslog Clients

Configuring Syslog: Verifying Syslog

Syslog in PT
R1(config)# service timestamps log datetime msec
R1# clock set 14:00:00 20 Mar 2014
R1(config)# logging
R1(config)# logging trap debugging
R1(config)# logging console
R1(config)# logging buffered
R1(config)# interface loopback 0
R1(config-if)# shutdown
R1(config-if)# no shutdown
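The following is an added example, not part of the original slides: a parser for the kind of messages the loopback shutdown / no shutdown exercise produces, showing which of them a given logging trap level forwards to the server and which lack a timestamp. The sample lines are constructed; the field layout assumed is the IOS form %FACILITY-SEVERITY-MNEMONIC: description.

```python
import re

# IOS severity names; the list index is the numeric level (0 = most severe).
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]

# [*]timestamp: %FACILITY-SEVERITY-MNEMONIC: description
# The timestamp is present only when "service timestamps log" is configured;
# a leading * marks a clock that is not synchronized.
LINE_RE = re.compile(
    r"^(?:\*?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): )?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$")

def parse(line):
    """Split one IOS log line into fields; None if it is not a log message."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])
    rec["sev_name"] = SEVERITIES[rec["sev"]]
    return rec

def forwarded(lines, trap_level):
    """Messages sent to the server under 'logging trap <trap_level>':
    the named level plus every numerically lower (more severe) level."""
    limit = SEVERITIES.index(trap_level)
    return [p for p in map(parse, lines) if p and p["sev"] <= limit]

def missing_timestamp(lines):
    """Messages that cannot be placed on a timeline during an investigation."""
    return [p for p in map(parse, lines) if p and p["ts"] is None]

# Constructed sample: toggling Loopback0, plus one line logged without timestamps.
SAMPLE = [
    "*Mar 20 14:00:12.345: %LINK-5-CHANGED: Interface Loopback0, changed state to administratively down",
    "*Mar 20 14:00:13.345: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to down",
    "*Mar 20 14:00:20.101: %LINK-3-UPDOWN: Interface Loopback0, changed state to up",
    "*Mar 20 14:00:21.101: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up",
    "%SYS-5-CONFIG_I: Configured from console by console",
]

if __name__ == "__main__":
    for level in ("errors", "debugging"):
        sent = forwarded(SAMPLE, level)
        print(level, [f'{p["facility"]}-{p["sev"]}-{p["mnemonic"]}' for p in sent])
    print("no timestamp:", [p["mnemonic"] for p in missing_timestamp(SAMPLE)])
```

With the trap level at errors, only the severity 3 message reaches the server; at debugging, all five do.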

SNMP

SNMP Operation: Introduction to SNMP

SNMP Operation

SNMP Operation: SNMP Agent Traps

SNMP Operation: SNMP Versions
There are several versions of SNMP, including:
• SNMPv1 - The Simple Network Management Protocol, a Full Internet Standard, defined in RFC
• SNMPv2c - Defined in RFCs 1901 to 1908; utilizes community-string-based Administrative Framework.
• SNMPv3 - Interoperable standards-based protocol originally defined in RFCs 2273 to 2275; provides secure access to devices by authenticating and encrypting packets over the network. It includes these security features: message integrity to ensure that a packet was not tampered with in transit; authentication to determine that the message is from a valid source; and encryption to prevent the contents of a message from being read by an unauthorized source.

SNMP Operation: Community Strings
There are two types of community strings:
• Read-only (ro) – Provides access to the MIB variables, but does not allow these variables to be changed, only read. Because security is so weak in version 2c, many organizations use SNMPv2c in read-only mode.
• Read-write (rw) – Provides read and write access to all objects in the MIB.

SNMP Operation: Management Information Base Object ID

Configuring SNMP: Steps for Configuring SNMP
Step 1. (Required) Configure the community string and access level (read-only or read-write) with the snmp-server community string ro | rw command.
Step 2. (Optional) Document the location of the device using the snmp-server location text command.
Step 3. (Optional) Document the system contact using the snmp-server contact text command.
Step 4. (Optional) Restrict SNMP access to NMS hosts (SNMP managers) that are permitted by an ACL. Define the ACL and then reference the ACL with the snmp-server community string access-list-number-or-name command.
Step 5. (Optional) Specify the recipient of the SNMP trap operations with the snmp-server host host-id [version {1 | 2c | 3 [auth | noauth | priv]}] community-string command. By default, no trap manager is defined.
Step 6. (Optional) Enable traps on an SNMP agent with the snmp-server enable traps notification-types command.
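The following is an added example, not part of the original slides: a configuration audit that reads the snmp-server community lines from Steps 1 and 4 and reports read-write communities, communities with no ACL, and communities that reference an ACL the configuration never defines. The sample configuration, community names and addresses are constructed, and treating "public" and "private" as well-known strings is an assumption of this example.

```python
import re

# snmp-server community <string> [ro|rw] [access-list-number-or-name]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)(?: (?P<mode>ro|rw))?(?: (?P<acl>\S+))?\s*$",
    re.IGNORECASE)
# Numbered ACL entry, or the header line of a named ACL.
ACL_DEF_RE = re.compile(
    r"^(?:access-list (?P<num>\d+) |ip access-list (?:standard|extended) (?P<name>\S+))",
    re.IGNORECASE)
WELL_KNOWN = {"public", "private"}  # assumption: strings treated as guessable

def audit_snmp(config_text):
    """Return a sorted list of (community, finding) tuples for a device config."""
    lines = [l.strip() for l in config_text.splitlines()]
    acls = set()
    for l in lines:
        m = ACL_DEF_RE.match(l)
        if m:
            acls.add(m.group("num") or m.group("name"))
    findings = []
    for l in lines:
        m = COMMUNITY_RE.match(l)
        if not m:
            continue
        name, acl = m.group("name"), m.group("acl")
        mode = (m.group("mode") or "ro").lower()  # read-only when omitted
        if mode == "rw":
            findings.append((name, "read-write access"))
        if acl is None:
            findings.append((name, "no ACL restricting NMS hosts"))
        elif acl not in acls:
            findings.append((name, "references undefined ACL " + acl))
        if name.lower() in WELL_KNOWN:
            findings.append((name, "well-known community string"))
    return sorted(findings)

# Constructed sample configuration (documentation address range).
SAMPLE_CONFIG = """
snmp-server community public ro
snmp-server community ops-write rw 10
snmp-server community mon-ro ro SNMP_ACL
snmp-server community lab-ro ro 20
snmp-server location NOC
ip access-list standard SNMP_ACL
 permit 192.0.2.10
access-list 10 permit 192.0.2.10
"""

if __name__ == "__main__":
    for community, finding in audit_snmp(SAMPLE_CONFIG):
        print(f"{community}: {finding}")
```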

Configuring SNMP: Verifying SNMP Configuration

Configuring SNMP: Security Best Practices

NetFlow

NetFlow Operation: Introduction to NetFlow

NetFlow Operation: Purpose of NetFlow
Most organizations use NetFlow for some or all of the following key data collection purposes:
• Efficiently measuring who is using what network resources for what purpose.
• Accounting and charging back according to the resource utilization level.
• Using the measured information to do more effective network planning so that resource allocation and deployment is well-aligned with customer requirements.
• Using the information to better structure and customize the set of available applications and services to meet user needs and customer service requirements.

NetFlow Operation: Network Flows
NetFlow technology has seen several generations that provide more sophistication in defining traffic flows, but "original NetFlow" distinguished flows using a combination of seven key fields:
• Source and destination IP address
• Source and destination port number
• Layer 3 protocol type
• Type of service (ToS) marking
• Input logical interface
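The following is an added example, not part of the original slides: a flow cache keyed on the seven fields listed above, showing that a packet differing in any one field (here the ToS marking, or the swapped addresses of a reply) starts a separate flow, and how per-source byte totals are derived from the cache. The packets, addresses and interface names are constructed.

```python
from collections import namedtuple, defaultdict

# The seven key fields of original NetFlow, in the order listed above.
FlowKey = namedtuple("FlowKey", "src_ip dst_ip src_port dst_port proto tos in_if")
Packet = namedtuple("Packet", FlowKey._fields + ("length",))

def build_flow_cache(packets):
    """Group packets into flows. A packet joins an existing flow only if all
    seven key fields match. Returns {FlowKey: [packet_count, byte_count]}."""
    cache = defaultdict(lambda: [0, 0])
    for p in packets:
        key = FlowKey(*p[:7])
        cache[key][0] += 1
        cache[key][1] += p.length
    return dict(cache)

def top_talkers(cache, n=3):
    """Source addresses ranked by total bytes across all of their flows."""
    totals = defaultdict(int)
    for key, (_, nbytes) in cache.items():
        totals[key.src_ip] += nbytes
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

# Constructed packets: documentation addresses, hypothetical interface names.
PACKETS = [
    Packet("192.0.2.10", "198.51.100.5", 51000, 443, 6, 0, "Gi0/0", 1500),
    Packet("192.0.2.10", "198.51.100.5", 51000, 443, 6, 0, "Gi0/0", 1500),
    # Same addresses, ports and protocol, but a different ToS: a new flow.
    Packet("192.0.2.10", "198.51.100.5", 51000, 443, 6, 184, "Gi0/0", 200),
    # Reply traffic: source and destination swap, so it is its own flow.
    Packet("198.51.100.5", "192.0.2.10", 443, 51000, 6, 0, "Gi0/1", 900),
    Packet("192.0.2.20", "198.51.100.9", 40000, 53, 17, 0, "Gi0/0", 80),
]

if __name__ == "__main__":
    cache = build_flow_cache(PACKETS)
    for key, (pkts, nbytes) in cache.items():
        print(key, "packets:", pkts, "bytes:", nbytes)
    print("top talkers:", top_talkers(cache))
```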

Configuring NetFlow: NetFlow Configuration Tasks

Examining Traffic Patterns: Verifying NetFlow

Examining Traffic Patterns: NetFlow Collector Functions

Examining Traffic Patterns: NetFlow Analysis with a NetFlow Collector

Chapter 8: Summary
• Syslog, SNMP, and NetFlow are the tools a network administrator uses in a modern network to manage the collection, display, and analysis of events associated with the networking devices.
• Syslog provides a rudimentary tool for collecting and displaying messages as they appear on a Cisco device console display.
• SNMP has a very rich set of data records and data trees to both set and get information from networking devices.
• NetFlow and its most recent iteration, Flexible NetFlow, provide a means of collecting IP operational data from IP networks.
• NetFlow provides data to enable network and security monitoring, network planning, traffic analysis, and IP accounting.
• NetFlow collectors provide sophisticated analysis options for NetFlow data.
